<div dir="ltr">Some nicknames changed to protect the innocent. The puppetmaster/hostname cert is nominally unrelated, though its creation was contemporaneous with the disappearance of server-cert so I can't entirely rule it out.<br><div><br>Certificate Nickname Trust Attributes<br> SSL,S/MIME,JAR/XPI<br><br>puppetmaster/hostname u,u,u<br>REALMNAME IPA CA CT,C,C<br>ipaCert u,u,u<br>Signing-Cert u,u,u<br><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Oct 23, 2014 at 12:53 PM, Rob Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">Eric McCoy wrote:<br>
> Hi all,<br>
><br>
> I somehow destroyed my primary IPA server's Server-Cert in<br>
> /etc/httpd/alias. I don't understand how or why it happened, all I know<br>
> is that I went to restart Apache and it was gone. Apache won't start,<br>
> of course, because the cert is missing. I can't issue a new cert on the<br>
> primary because Apache is down. I tried using the secondary, but it<br>
> fails saying that it can't connect to the web server on the primary<br>
> (it's the same error message I get when I try to issue a cert from the<br>
> primary). I can't figure out how to tell ipa-getcert et al. to talk to<br>
> the secondary and not the primary. I'm not using DNS for service<br>
> discovery, so I'm not sure how the various tools figure out where things<br>
> are.<br>
><br>
> This is all on CentOS 6.5 with IPA 3.0.0-37.<br>
><br>
><br>
<br>
</div></div>What certs do you have in the database?<br>
<br>
# certutil -L -d /etc/httpd/alias<br>
<span class="HOEnZb"><font color="#888888"><br>
rob<br>
</font></span></blockquote></div><br></div>